Support Questions

nsabharwal · ‎01-23-2016

jstraub · ‎01-23-2016

@Neeraj Sabharwal Yes, but I am afraid not without a little bit of additional work. Maybe copying the database and adjusting some values like repo id, ranger address, etc. is an alternative to look into (not recommended though!). Here is the API-way 🙂

You can access all policies of a repository (e.g. hdfs/hadoop) by using:

http://<ranger_address>:6080/service/plugins/policies/download/<clustername>_hadoop

For example:

curl -ivk -H "Content-type:application/json" -u <user>:<password> http://<ranger_address>:6080/service/plugins/policies/download/bigdata_hadoop

This will return:

{
   "serviceName":"bigdata_hadoop",
   "serviceId":1,
   "policyVersion":23,
   "policyUpdateTime":1450245444000,
   "policies":[
      {
         "id":2,
         "guid":"1448089401967_197_71",
         "isEnabled":true,
         "createdBy":"Admin",
         "updatedBy":"Admin",
         "createTime":1448118201000,
         "updateTime":1449582864000,
         "version":5,
         "service":"bigdata_hadoop",
         "name":"Ranger_audits",
         "description":"",
         "resourceSignature":"6dbd7c49e533baa8082b48895acabf20",
         "isAuditEnabled":false,
         "resources":{
            "path":{
               "isRecursive":true,
               "values":[
                  "/apps/solr/ranger_audits"
               ],
               "isExcludes":false
            }
         },
         "policyItems":[
            {
               "users":[
                  "solr"
               ],
               "groups":[


               ],
               "delegateAdmin":false,
               "accesses":[
                  {
                     "isAllowed":true,
                     "type":"read"
                  },
                  {
                     "isAllowed":true,
                     "type":"write"
                  },
                  {
                     "isAllowed":true,
                     "type":"execute"
                  }
               ],
               "conditions":[


               ]
            }
         ]
      },
      {
         ...
	 ...
      }
      ...
   ],
   ...
   ...
   ...
}

After downloading all policies of a repo you can use the Rest calls I mentioned here => https://community.hortonworks.com/questions/10826/rest-api-url-to-configure-ranger-objects.html to recreate the policies in your other cluster.

Note: Make sure the users from Cluster1 are available in Cluster2 as well, otherwise Ranger will throw an exception when you create a policy for a user that doesn't exist.

Thats it 🙂

View solution in original post

jstraub · ‎01-23-2016

@Neeraj Sabharwal Yes, but I am afraid not without a little bit of additional work. Maybe copying the database and adjusting some values like repo id, ranger address, etc. is an alternative to look into (not recommended though!). Here is the API-way 🙂

You can access all policies of a repository (e.g. hdfs/hadoop) by using:

http://<ranger_address>:6080/service/plugins/policies/download/<clustername>_hadoop

For example:

curl -ivk -H "Content-type:application/json" -u <user>:<password> http://<ranger_address>:6080/service/plugins/policies/download/bigdata_hadoop

This will return:

{
   "serviceName":"bigdata_hadoop",
   "serviceId":1,
   "policyVersion":23,
   "policyUpdateTime":1450245444000,
   "policies":[
      {
         "id":2,
         "guid":"1448089401967_197_71",
         "isEnabled":true,
         "createdBy":"Admin",
         "updatedBy":"Admin",
         "createTime":1448118201000,
         "updateTime":1449582864000,
         "version":5,
         "service":"bigdata_hadoop",
         "name":"Ranger_audits",
         "description":"",
         "resourceSignature":"6dbd7c49e533baa8082b48895acabf20",
         "isAuditEnabled":false,
         "resources":{
            "path":{
               "isRecursive":true,
               "values":[
                  "/apps/solr/ranger_audits"
               ],
               "isExcludes":false
            }
         },
         "policyItems":[
            {
               "users":[
                  "solr"
               ],
               "groups":[


               ],
               "delegateAdmin":false,
               "accesses":[
                  {
                     "isAllowed":true,
                     "type":"read"
                  },
                  {
                     "isAllowed":true,
                     "type":"write"
                  },
                  {
                     "isAllowed":true,
                     "type":"execute"
                  }
               ],
               "conditions":[


               ]
            }
         ]
      },
      {
         ...
	 ...
      }
      ...
   ],
   ...
   ...
   ...
}

After downloading all policies of a repo you can use the Rest calls I mentioned here => https://community.hortonworks.com/questions/10826/rest-api-url-to-configure-ranger-objects.html to recreate the policies in your other cluster.

Note: Make sure the users from Cluster1 are available in Cluster2 as well, otherwise Ranger will throw an exception when you create a policy for a user that doesn't exist.

Thats it 🙂

nsabharwal · ‎01-23-2016

@Jonas Straub Very nice! Thank you for sharing this. 🙂

smartninja723 · ‎06-02-2016

@Jonas Straub, @Neeraj Sabharwal, @Sagar Shimpi : Guys, using this I could export the entire policy repository using :

<Ranger_Host:IP>/service/public/api/policy

and also using

http://<ranger_address>:6080/service/plugins/policies/download/<clustername>_hadoop

I went through the link shared which talks about exporting policies one by one. Is there a way to export entire repository instead of exporting policies one after another?

aervits · ‎01-23-2016

Our latest tutorial on ranger walls you through importing a policy with rest @Neeraj Sabharwal

Arun- · ‎01-27-2017

I have used above API calls and executed on my cluster it worked below is the procedure I have followed for one hdfs service and one policy.

Objective:

Export ranger policies from cluster1 to cluster2

variables: <clustername>=DEVLHDP <policy_name>=<clustername>_hadoop-1-20160615193010

To download all policies from cluster1

http://ranger1:6080/service/plugins/policies/download/<clustername>_hadoop

get service from cluster1 ranger1

curl -iv -u admin:xxxx -H "Content-type:application/json" -X GET http://ranger1:6080/service/public/v2/api/service/name/<clustername>_hadoop

copy the json output to ranger-service.json

create service in new cluster2 ranger2

curl -iv -u admin:xxxxx -d @ranger-service.json -H "Content-Type: application/json" -X POST http://ranger2:6080/service/public/v2/api/service

Getting a sample policy from cluster1 ranger1

curl -iv -u admin:xxxxx -H "Content-type:application/json" -X GET http://ranger1:6080/service/public/v2/api/service/<clustername>_hadoop/policy/<clustername>_hadoop-1...

copy the json output to ranger_policy.json

create policy in new cluster2 ranger2

curl -iv -u admin:xxxxx -d @ranger_policy.json -H "Content-Type: application/json" -X POST http://ranger2:6080/service/public/v2/api/policy

Tested in HDP 2.4.2 which has Apache Ranger 0.5.2

Ref:

https://issues.apache.org/jira/browse/RANGER-1214

If this helped, pls vote/accept answer.

Arun- · ‎02-03-2017

http://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.4.2/bk_Security_Guide/content/ranger_rest_api_cr...

Cloudera Community

Support Questions

Is there a way to export ranger policies from cluster1 and import into cluster?